Detailed Action

This Office Action is in response to the application (10749502) filed on 10/31/2008.

Claim Rejections - 35 USC § 103 

The text of those sections of Title 35, U.S. Code not included in this action can be found 
in a prior Office action. 

Claims 1-2, 4 are rejected under 35 U.S.C. 103(a) as being unpatentable over Liang,
U.S. Patent Application Publication No. US 20040205419, further in view of Porras, U.S.
Patent Application Publication No. US 2003/0212903, in view of Gupta, U.S. Patent No.
US 7,234,168, further in view of Ishikawa, U.S. Patent Application No. US 2007/0079367.

Regarding claim 1, Liang teaches wherein a method for detecting abnormal traffic at 
the network level using a statistical analysis, the method comprising the steps of: 

a) gathering local traffic data from each network device and integrating a plurality 
of the local traffic data to generate traffic data in the network level (FIG. 4, the data 
collected in the client devices 112, 120 and 124 are transferred to the server 108 
through uplink data paths 1121, 1201 and 1241, respectively. The data from the 
client devices 112, 120 and 124 are then processed in the correlative rules engine
(CRE) 106. The correlative rules engine 106 analyzes data from all of the client 
devices, which also includes the ability to maintain and keep track of a plurality of 
alert levels occurring in different sensors with different client devices - [0043]). 
With respect to claim 1, Liang teaches the invention set forth above except for
the claimed "extracting a characteristic traffic data based on the traffic data in the
network level".

Porras further teaches wherein a) gathering local traffic data from each network 
device and integrating a plurality of the local traffic data to generate traffic data in the 
network level (Fig. 1, units 12a-12c indicating the integration of different domains in
a network);

b) extracting a characteristic traffic data based on the traffic data in the network 
level (characteristic data is formed from the header of the packet [0032]);

c) comparing the characteristic traffic data with a predetermined characteristic 
traffic data profile resulting from statistical computations and representing normal traffic 
(Fig. 5, unit 78 (compare one of the short-term profiles to a corresponding long-
term statistical profile)), and determining whether there is abnormal traffic in the
network (Fig. 4, unit 70 (determine if statistical profile is abnormal));

d) updating the predetermined characteristic traffic data profile using the 
characteristic traffic data if there is no abnormal traffic in the network, and analyzing 
volume amount of the abnormal traffic and monitoring the abnormal traffic if there is
abnormal traffic in the network (the monitor can respond by reporting (updating) the 
activity (i.e. seriousness of the abnormal traffic like privilege network errors and 
abnormal levels of the network level) to another monitor or by executing a 
countermeasure response [0071]). 
It would have been obvious to one of ordinary skill in the art at the time the
invention was made to modify Liang's invention by utilizing a method of network
surveillance that includes receiving network packets handled by a network entity and
building at least one long-term and at least one short-term statistical profile from a
measure of the network packets that monitors data transfers, errors, or network
connections. A comparison of the statistical profiles is used to determine whether the
difference between the statistical profiles indicates suspicious network activity, as taught
by Porras.

However, Porras teaches the invention set forth above except for the claimed "a 
single traffic sensing module". 

Gupta teaches that it is well known to have a single traffic sensing module (Fig. 2,
unit 52 - Sensor Management Module: "A single sensor management system may be
used to control multiple sets of primary sensors and redundant sensors").

e) transmitting the analysis result of the volume amount of the abnormal traffic to 
an abnormal traffic processing system (the overall volume of discarded packets as
well as a measure analyzing the disposition of the discarded packets (abnormal 
packet) can provide insight into unintentionally malformed packets resulting from 
poor line quality or internal errors in neighboring hosts [0076]). 

It would have been obvious to one of ordinary skill in the art at the time the
invention was made to modify Liang's invention by utilizing network security sensors
and distributed network security sensor architectures used to implement intrusion
detection and protection. In addition, a sensor management system is associated with a
sensor or set of sensors. The sensor management system provides supervisory control
of a sensor. The sensor management system may be used to implement a shared-
resource virtual intrusion detection system, as discussed below. A single sensor
management system may be used to control multiple sets of primary sensors and
redundant sensors. The combination of the sensor, redundant sensor, and sensor
management system is referred to as a local sensor security module. Furthermore, as
disclosed, the local sensor security modules may be distributed throughout a
network. In this example, local sensor security modules 27-1 through 27-N are
positioned between an enterprise network and Internet service providers 28-1 through
28-N. In addition, a local sensor security module 27-0 is positioned between the
enterprise network and a protected server, as taught by Gupta.

However, Gupta is silent in terms of "to detect abnormal traffic without operation
of a network manager, and processing the abnormal traffic to prevent a network failure."

Ishikawa teaches wherein to detect abnormal traffic without operation of a 
network manager (abnormal traffic patterns - [0041]), and processing the abnormal 
traffic to prevent a network failure (the traffic analyzer 30 instructs the switching 
device 18 to cease announcing the server network address to the offending 
network -[0041]). 

It would have been obvious to one of ordinary skill in the art at the time the
invention was made to modify Liang's invention in view of the teaching that attempts to
eliminate fraudulent requests to a server, or its firewall, are limited to blocking the
source address and preventing repeated requests to one address by blocking the request.
Although these mechanisms can prevent fraudulent requests from being sent to, or
received by, the server, to prevent the transmission of requests from the suspected
traffic, the network device receiving the requests, such as the routers or firewall, must
review each incoming packet. Thus, although these requests can be identified, the
identification of these requests requires that the network device, such as the router or
firewall, look at each incoming packet to determine whether to block the transmission.
As such, these solutions do not prevent the stifling of traffic flow and often still result in
the router, firewall or server being paralyzed, as the problem is merely shifted
between the devices within the network. Furthermore, the detection system utilizes an
activity monitoring system which monitors network devices, such as routers and
firewalls, and determines whether abnormal activity or traffic patterns are
emerging on the devices. If a determination is made that abnormal activity or
abnormal traffic patterns exist, the activity monitoring system responds by
blocking the activity or redirecting the traffic, as taught by Ishikawa.

Regarding claim 2, Porras, Gupta and Ishikawa together teach the method as in
claims 1 & 4 above. Porras further teaches wherein the characteristic traffic data
includes: 

information on traffic assigned to an application port which is selected according 
to an application service (TCP port identifier [0036]); 

information on traffic of which packet size is identical (network measures the
number of packets and number of kilobytes [0037]); and

information on traffic of which the number of source-destination pairs, which
represents the number of source addresses of the traffic having the same target
address (categorical measures including the network source and destination
address [0036]; packet source addresses and destination addresses match a
given internal host [0033]).

Claim 4 lists all the same elements of claim 1, but in computer readable medium rather
than method form. Therefore, the supporting rationale of the rejection of claim 1
applies equally as well to claim 4.
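The claimed steps b) through e) of claim 1 (extract characteristic data, compare it with a statistically derived normal profile, update the profile only when the traffic is normal, and analyze the volume of abnormal traffic for a processing system) together with the claim 2 feature elements (per-port traffic, per-packet-size traffic, and distinct source addresses per target) can be illustrated with a small simulation. The code below is an added example written for this page; it is not code from the cited Liang, Porras, Gupta or Ishikawa references or from the application under examination. The packet records, window generators, z-score threshold and Welford running statistics are the example's own assumptions, not anything the Office Action specifies.

```python
"""Added example: network-level abnormal traffic detection by statistical profile
comparison. All packet data below is constructed; thresholds are assumptions."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet record: only the header fields the features need."""
    src: str
    dst: str
    dport: int
    size: int


def extract_features(packets):
    """Step b: characteristic traffic data for one window, keyed by (kind, value).
    Mirrors the claim 2 elements: traffic per application port, traffic per
    identical packet size, distinct sources per target, plus overall volume."""
    feats = {}
    for port, n in Counter(p.dport for p in packets).items():
        feats[("port", port)] = n
    for size, n in Counter(p.size for p in packets).items():
        feats[("size", size)] = n
    srcs = defaultdict(set)
    for p in packets:
        srcs[p.dst].add(p.src)
    for dst, s in srcs.items():
        feats[("pairs", dst)] = len(s)
    feats[("volume", "packets")] = len(packets)
    feats[("volume", "bytes")] = sum(p.size for p in packets)
    return feats


class TrafficProfile:
    """Long-term profile: running mean/variance per feature (Welford's method)."""

    def __init__(self, threshold=3.0, min_windows=5, std_floor=1.0):
        self.stats = {}                  # key -> (n, mean, M2)
        self.threshold = threshold       # |z| above which a feature is abnormal
        self.min_windows = min_windows   # windows to learn before judging
        self.std_floor = std_floor       # avoids divide-by-zero on constant baselines
        self.windows = 0

    def update(self, feats):
        """Step d, normal branch: fold this window into the profile. Keys the
        profile knows but the window lacks are folded in as 0."""
        self.windows += 1
        for key in set(self.stats) | set(feats):
            x = feats.get(key, 0)
            n, mean, m2 = self.stats.get(key, (0, 0.0, 0.0))
            n += 1
            delta = x - mean
            mean += delta / n
            m2 += delta * (x - mean)
            self.stats[key] = (n, mean, m2)

    def zscores(self, feats):
        """Step c: deviation of each feature from its long-term statistics.
        A key never seen before is compared against mean 0."""
        out = {}
        for key in set(self.stats) | set(feats):
            x = feats.get(key, 0)
            n, mean, m2 = self.stats.get(key, (0, 0.0, 0.0))
            var = m2 / (n - 1) if n > 1 else 0.0
            out[key] = (x - mean) / max(math.sqrt(var), self.std_floor)
        return out


def process_window(profile, packets):
    """Steps b-e for one window. Returns (status, report); the report is what
    would be transmitted to the abnormal traffic processing system."""
    feats = extract_features(packets)
    if profile.windows < profile.min_windows:
        profile.update(feats)            # still building the baseline
        return "learning", None
    flagged = {k: round(z, 1) for k, z in profile.zscores(feats).items()
               if abs(z) > profile.threshold}
    if not flagged:
        profile.update(feats)            # step d: refresh profile with normal data
        return "normal", None
    # Abnormal: leave the profile untouched, analyze the volume (step e).
    pair_keys = [k for k in flagged if k[0] == "pairs"]
    target = max(pair_keys, key=flagged.get)[1] if pair_keys else None
    return "abnormal", {"packets": feats[("volume", "packets")],
                        "bytes": feats[("volume", "bytes")],
                        "flagged": flagged, "target": target}


def normal_window(i):
    """Constructed steady-state window: web and TLS traffic to two internal hosts."""
    pkts = [Packet(f"192.0.2.{k + 1}", "10.0.0.5", 80, 500) for k in range(10 + i % 2)]
    pkts += [Packet(f"192.0.2.{k + 1}", "10.0.0.6", 443, 1200) for k in range(5)]
    return pkts


def flood_window():
    """Constructed abnormal window: many new sources send tiny packets to 10.0.0.5."""
    return normal_window(0) + [Packet(f"203.0.113.{k + 1}", "10.0.0.5", 80, 40)
                               for k in range(60)]


def demo():
    """Learn on five windows, judge a sixth normal one, then judge the flood."""
    profile = TrafficProfile()
    statuses = [process_window(profile, normal_window(i))[0] for i in range(6)]
    status, report = process_window(profile, flood_window())
    return statuses, status, report, profile.windows


if __name__ == "__main__":
    print(demo())
```

The flood window trips the per-port count, the distinct-source count for 10.0.0.5, the new 40-byte packet-size bucket and both volume measures, while port 443 and the 1200-byte traffic stay within profile. Because the abnormal window is not folded into the profile, the baseline is not poisoned by the traffic it just flagged; that is the point of the claimed "update only if there is no abnormal traffic" branch.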

Response to Arguments 

Applicant's arguments with respect to claims 1-2, 4 have been considered but are moot
in view of the new ground(s) of rejection.

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 

Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Sulaiman Nooristany whose telephone number is (571)
270-1929. The examiner can normally be reached on M-F from 9 to 5. If attempts to
reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu,
can be reached on (571) 272-6798. The fax phone number for the organization where
this application or proceeding is assigned is 571-273-8300. Information regarding the
status of an application may be obtained from the Patent Application Information
Retrieval (PAIR) system. Status information for published applications may be obtained
from either Private PAIR or Public PAIR. Status information for unpublished
applications is available through Private PAIR only. For more information about the
PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to
the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197
(toll-free).

Sulaiman Nooristany 01/13/2009



/Jeffrey Pwu/ 

Supervisory Patent Examiner, Art Unit 2446 



